Presently we have a full mesh network. I don't want to go to a hub and spoke model, but I would like to implement dynamic on demand tunnels. I am trying to set one data center as the primary hub, and another data center as the secondary hub. Issue I am having, is I have tried setting a preference in various ways, but the branches will randomly connect to either of the hubs for its initial connection. I thought when I upgraded from 20.3.3 to 20.3.4, it resolved the issue, but after a short period of time, the behavior returned. Wondering if anyone has implemented this, sees an issue with the config, or has a suggestion. Thanks.

control-policy BR-OUT-Policy
sequence 1
match route
site-list BR-VPN3
prefix-list _AnyIpv4PrefixList
!
action accept
set
tloc-action backup
preference 1000
tloc-list PRI-HUB
!
!
!
sequence 11
match route
site-list BR-VPN3
prefix-list _AnyIpv4PrefixList
!
action accept
set
tloc-action backup
preference 900
tloc-list SEC-HUB
!
!
!
sequence 21
match tloc
tloc-list PRI-HUB
!
action accept
!
!
sequence 31
match tloc
tloc-list SEC-HUB
!
action accept
!
!
default-action accept
!
site-list HUB1
site-id 101
!
site-list BR-VPN3
site-id 110-199
!
site-list HUB2
site-id 100
!
tloc-list PRI-HUB
tloc 192.168.1.1 color blue encap ipsec
tloc 192.168.1.2 color mpls encap ipsec
tloc 192.168.1.3 color biz-internet encap ipsec
!
tloc-list SEC-HUB
tloc 192.168.2.1 color blue encap ipsec
tloc 192.168.2.2 color mpls encap ipsec
tloc 192.168.2.3 color biz-internet encap ipsec
!
site-list BR-VPN3
control-policy BR-OUT-Policy out